Information, tools and how-to's for the new intrusion analyst. Mentoring by blogging.

Friday, February 4, 2011

Packet Analysis With xtractr - Continued

Now that we have our packets indexed, we need to start the web service and load them. The default address to bind to is localhost, on port 8080. If you're working remotely on your xtractr box, and especially if you want others to be able to look at the packets with you, you'll want to change the bind address to your networked interface (realize no one can connect to the box and look at the packets or run queries without a Mu Dynamics account).
So we now use the browse parameter, like so: xtractr browse (index_directory) --host (network_ip_address).

So using our example above, and assuming our box has an IP address of 192.168.100.10, our browse command would be: xtractr browse index_dns --host 192.168.100.10
If we wanted to use a port other than 8080, we could add the --port parameter and specify the port to bind to.

Point your browser to ip_address_of_the_xtractr_box:8080 or, if you specified a different port, ip_address:(port_number). Your browser will be directed to the Mu Dynamics xtractr site, where you'll be prompted to log in with the account you created at step 1. Now, as you query and drill down, your data will be streamed through the Mu site, where all the processing will take place (again, note that unless you choose to upload your pcaps, they will remain on your box).
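The steps above (pick an index directory, a bind address and an optional port, then start the service) are easy to get wrong when you are doing them in a hurry on a remote box. The following POSIX sh wrapper is an added example, not part of the original post and not Mu's own tooling: it assumes only the command syntax shown above (xtractr browse <index_dir> --host <ip> --port <port>), validates the address and port before anything is started, and prints a reminder to stderr whenever the bind address is not loopback, since that is the moment the listener becomes reachable from the network. The function names and the default of 8080 are taken from the post; everything else is an assumption.

```shell
#!/bin/sh
# Hypothetical wrapper around "xtractr browse" (added example, not Mu's code).
# Assumed command syntax from the post:
#   xtractr browse <index_dir> --host <ip> --port <port>

# valid_port PORT -> exit 0 if PORT is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 ADDR -> exit 0 if ADDR is a dotted quad with octets 0..255
valid_ipv4() {
    case "$1" in
        ''|.*|*.|*..*) return 1 ;;   # empty, leading/trailing/doubled dots
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1                        # split on dots into $1..$n
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_loopback ADDR -> exit 0 for "localhost" or any 127.x.x.x address
is_loopback() {
    case "$1" in
        localhost|127.*) return 0 ;;
        *) return 1 ;;
    esac
}

# build_browse_cmd INDEX_DIR HOST [PORT] -> prints the validated command line.
# Port defaults to 8080, the default the post describes.
build_browse_cmd() {
    index_dir=$1
    host=$2
    port=${3:-8080}
    [ -n "$index_dir" ] || { echo "missing index directory" >&2; return 1; }
    if ! is_loopback "$host" && ! valid_ipv4 "$host"; then
        echo "bad host: $host" >&2
        return 1
    fi
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    if ! is_loopback "$host"; then
        echo "note: $host is not loopback; the service will be reachable from the network" >&2
    fi
    printf 'xtractr browse %s --host %s --port %s\n' "$index_dir" "$host" "$port"
}

# start_browse INDEX_DIR HOST [PORT] -> validates, then execs xtractr.
start_browse() {
    cmd=$(build_browse_cmd "$@") || return 1
    echo "starting: $cmd" >&2
    exec xtractr browse "$1" --host "$2" --port "${3:-8080}"
}

# Usage: sh xtractr_browse.sh index_dns 192.168.100.10 [port]
if [ $# -gt 0 ]; then
    start_browse "$@"
fi
```

Run it with the same arguments the post uses (sh xtractr_browse.sh index_dns 192.168.100.10) and it starts the service bound to 192.168.100.10:8080 after the checks pass; the only thing it adds over typing the command by hand is that a typo in the address or port fails before the service comes up, and the non-loopback reminder makes the exposure explicit.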

Mu has a large repository of user-supplied pcaps available to the community to test and experiment with. They encourage you to contribute to the library, and there are some very obscure and esoteric packet captures available to you there.

You can go to the xtractr web site's live demo, at http://www.pcapr.net/xtractr/demo#/flows, and see what all this packet parsing goodness looks like, and play before you download.

(Folks at Mu... if you come across this post and I've screwed up anything, please Twitter me @JeffSoh and I'll correct it ASAP.)